Re: How can I delete apache included in the base system?
On 3/10/06, Diogin [EMAIL PROTECTED] wrote:

Hello, every one: I am sorry to ask this stupid question. I have read the FAQ, but I couldn't find any way to delete apache totally. Now I want to use apache 2.0.55, but I'm worried about conflict. Can some one help me? Thanks very much!

You promise you never post a question on this list again? I don't think you will get much help with this stupid demolition. Don't mess with the base system unless you know what you are doing, and reading your post, you clearly don't.

Wijnand
--
No virus was found in this outgoing message as I didn't bother looking. This is not an automated signature. I type this in to the bottom of every message.
Re: How can I delete apache included in the base system?
On Fri, Mar 10, 2006 at 02:13:03PM +0800, Diogin wrote:

Hello, every one: I am sorry to ask this stupid question. I have read the FAQ, but I couldn't find any way to delete apache totally. Now I want to use apache 2.0.55, but I'm worried about conflict. Can some one help me? Thanks very much!

There is no reason to delete the included Apache install, per se. There is no facility to do it easily, either. Quite a few people run Apache 2 on OpenBSD, so it does work, but I'm not sure just how well it works. Certainly, Apache 2 uses threads quite a bit and threads are not that fast on OpenBSD (though that is fast improving).

Anyway, stick with the included Apache if possible, or just compile and install the new Apache 2 somewhere you like. As long as it isn't under /usr (but, for instance, under /usr/local or /opt), no conflict will arise. Though you do have to make sure that you are calling the proper apachectl when starting.

Joachim
Re: OpenBGPd with dynamic keying (ipsec ike support)
On 09/03/06, Florian Daniel Otel [EMAIL PROTECTED] wrote: Hello all, I have the following question (== misunderstanding from my part?) w.r.t. openbgp support for dynamic keying: I was living under the impression (hope?) that the said support means not only that the keys for the BGP peering session per se are established dynamically but also that the SPD itself is kept in sync with the coresp. BGP routing info i.e. bgp updates the IPsec flows to be consistent with the BGP routing info exchanged with the said peer. Without ever having looked at this I would guess that openbgpd support for dynamic keying is for securing the bgp session itself, nothing more. /Tony -- Tony Sarendal - [EMAIL PROTECTED] IP/Unix -= The scorpion replied, I couldn't help it, it's my nature =-
Re: Ralink USB
On Fri, Mar 10, 2006 at 04:54:08PM +1100, Rod.. Whitworth wrote: Today I received a D-Link DWL-G122 . Unfortunately it is not a v. B1 - it is C1. If the box (i386) is booted on a 3.9beta #617 with the device plugged in it gets a dmesg line that says: Ralink 802.11 bg WLAN Class 0/0, rev 2.00/0/01 addr 2, uhub 1 port 2 not configured I expected the last two words in that message - man page told me that B1 was it for a G122. The usbdevs command with -dv says a bit more: port 2 addr 2: full speed, power 300 mA, config 1, 802.11 bg WLAN(0x3c03), Ralink (0x07d1), rev 0.01 Show the .inf file that came with the windows driver and the FCC ID. You having an address in your headers I could send mail to would help matters as well.
Re: OpenBGPd with dynamic keying (ipsec ike support)
On Fri, Mar 10, 2006 at 09:36:07AM +, tony sarendal wrote: On 09/03/06, Florian Daniel Otel [EMAIL PROTECTED] wrote: Hello all, I have the following question (== misunderstanding from my part?) w.r.t. openbgp support for dynamic keying: I was living under the impression (hope?) that the said support means not only that the keys for the BGP peering session per se are established dynamically but also that the SPD itself is kept in sync with the coresp. BGP routing info i.e. bgp updates the IPsec flows to be consistent with the BGP routing info exchanged with the said peer. Without ever having looked at this I would guess that openbgpd support for dynamic keying is for securing the bgp session itself, nothing more. Yes, this is correct. -- :wq Claudio
Re: Ralink USB
On Fri, 10 Mar 2006 20:42:44 +1100, Jonathan Gray wrote: On Fri, Mar 10, 2006 at 04:54:08PM +1100, Rod.. Whitworth wrote: Today I received a D-Link DWL-G122 . Unfortunately it is not a v. B1 - it is C1. If the box (i386) is booted on a 3.9beta #617 with the device plugged in it gets a dmesg line that says: Ralink 802.11 bg WLAN Class 0/0, rev 2.00/0/01 addr 2, uhub 1 port 2 not configured I expected the last two words in that message - man page told me that B1 was it for a G122. The usbdevs command with -dv says a bit more: port 2 addr 2: full speed, power 300 mA, config 1, 802.11 bg WLAN(0x3c03), Ralink (0x07d1), rev 0.01 Show the .inf file that came with the windows driver and the FCC ID. You having an address in your headers I could send mail to would help matters as well. Sorry about the email address. You can simply prefix the reply to address with the letter g to get to the alternate mailbox or use ash at witworx dot com. Now as to data requested. The FCC ID is easy as they put it on the outside of the plastic case: KA2WLG122C1 It also shows the firmware as Ver 3.00 Apart from the autorun.inf the CD has nothing in the way of .inf files. So I loaded the software and found that there are several infs one of which (named NetRTAGU.inf) does contain a header that says: AG122.INF ; ; This installation script supports Windows 98, Me, 2000 and XP for the ; RT2570 802.11a/b/g USB Adapters. and that looks the closest of all of the files BUT this thing claims only 802.11g and mentions 11b compatibility in passing in the manual. No 11a in sight. Maybe the driver is selective Does this sound like the file you want? If so shall I attach it to a message directly to you? It is about 16k in size. Regards, Rod. From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: Ralink USB
On Fri, Mar 10, 2006 at 09:18:10PM +1100, Rod.. Whitworth wrote: On Fri, 10 Mar 2006 20:42:44 +1100, Jonathan Gray wrote: On Fri, Mar 10, 2006 at 04:54:08PM +1100, Rod.. Whitworth wrote: Today I received a D-Link DWL-G122 . Unfortunately it is not a v. B1 - it is C1. If the box (i386) is booted on a 3.9beta #617 with the device plugged in it gets a dmesg line that says: Ralink 802.11 bg WLAN Class 0/0, rev 2.00/0/01 addr 2, uhub 1 port 2 not configured I expected the last two words in that message - man page told me that B1 was it for a G122. The usbdevs command with -dv says a bit more: port 2 addr 2: full speed, power 300 mA, config 1, 802.11 bg WLAN(0x3c03), Ralink (0x07d1), rev 0.01 Show the .inf file that came with the windows driver and the FCC ID. You having an address in your headers I could send mail to would help matters as well. Sorry about the email address. You can simply prefix the reply to address with the letter g to get to the alternate mailbox or use ash at witworx dot com. Now as to data requested. The FCC ID is easy as they put it on the outside of the plastic case: KA2WLG122C1 It also shows the firmware as Ver 3.00 Apart from the autorun.inf the CD has nothing in the way of .inf files. So I loaded the software and found that there are several infs one of which (named NetRTAGU.inf) does contain a header that says: AG122.INF ; ; This installation script supports Windows 98, Me, 2000 and XP for the ; RT2570 802.11a/b/g USB Adapters. and that looks the closest of all of the files BUT this thing claims only 802.11g and mentions 11b compatibility in passing in the manual. No 11a in sight. Maybe the driver is selective It depends what radio the MAC is paired with as to whether 11a is functional. Does this sound like the file you want? If so shall I attach it to a message directly to you? It is about 16k in size. Try this patch first. You will have to run make in /usr/src/sys/dev/usb/ to regenerate the headers after applying it. 
Index: sys/dev/usb/usbdevs === RCS file: /cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.185 diff -u -p -r1.185 usbdevs --- sys/dev/usb/usbdevs 5 Mar 2006 06:41:36 - 1.185 +++ sys/dev/usb/usbdevs 10 Mar 2006 10:47:42 - @@ -283,6 +283,7 @@ vendor ALLIEDTELESYN0x07c9 Allied Teles vendor AVERMEDIA 0x07ca AVerMedia Technologies vendor SIIG0x07cc SIIG vendor CASIO 0x07cf CASIO +vendor DLINK2 0x07d1 D-Link vendor APTIO 0x07d2 Aptio Products vendor ARASAN 0x07da Arasan Chip Systems vendor ALLIEDCABLE 0x07e6 Allied Cable @@ -847,6 +848,7 @@ product DLINK DWL120E 0x3200 DWL-120 re product DLINK DWL122 0x3700 DWL-122 product DLINK DWL120F 0x3702 DWL-120 rev F product DLINK RT2570 0x3c00 RT2570 +product DLINK2 DWLG122C1 0x3c03 DWL-G122 rev C1 product DLINK DSB650C 0x4000 10Mbps ethernet product DLINK DSB650TX10x4001 10/100 ethernet product DLINK DSB650TX 0x4002 10/100 ethernet Index: sys/dev/usb/if_ral.c === RCS file: /cvs/src/sys/dev/usb/if_ral.c,v retrieving revision 1.65 diff -u -p -r1.65 if_ral.c --- sys/dev/usb/if_ral.c19 Feb 2006 08:44:17 - 1.65 +++ sys/dev/usb/if_ral.c10 Mar 2006 10:47:45 - @@ -90,6 +90,7 @@ static const struct usb_devno ural_devs[ { USB_VENDOR_CISCOLINKSYS, USB_PRODUCT_CISCOLINKSYS_HU200TS }, { USB_VENDOR_CONCEPTRONIC2, USB_PRODUCT_CONCEPTRONIC2_C54RU }, { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_RT2570 }, + { USB_VENDOR_DLINK2,USB_PRODUCT_DLINK2_DWLG122C1 }, { USB_VENDOR_GIGABYTE, USB_PRODUCT_GIGABYTE_GNWBKG }, { USB_VENDOR_GUILLEMOT, USB_PRODUCT_GUILLEMOT_HWGUSB254 }, { USB_VENDOR_MELCO, USB_PRODUCT_MELCO_KG54 },
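Review bot: In the second usbdevs hunk, the new line "product DLINK2 DWLG122C1 0x3c03 DWL-G122 rev C1" assigns the D-Link name to a device whose own descriptor, per the usbdevs -dv output earlier in the thread, reports the vendor string as "Ralink (0x07d1)"; the attribution rests on the FCC ID (KA2WLG122C1) rather than on the descriptor, so the commit message should say so, and the new vendor entry "vendor DLINK2 0x07d1 D-Link" in the first hunk will print the same "D-Link" name as the existing DLINK vendor, which is fine but worth a note since two vendor IDs now share one name.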
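Review bot: In the if_ral.c hunk, the added entry "{ USB_VENDOR_DLINK2,USB_PRODUCT_DLINK2_DWLG122C1 }," lacks the space after the comma that every neighbouring entry in ural_devs[] has, so align it to "{ USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DWLG122C1 },"; also, since the USB_VENDOR_DLINK2 and USB_PRODUCT_DLINK2_DWLG122C1 macros only exist once the usbdevs headers are regenerated (the regenerated usbdevs.h and usbdevs_data.h are not part of this diff), a kernel build without the "make in /usr/src/sys/dev/usb/" step mentioned above will fail on this line, which is worth stating in the commit message.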
Re: Pre-orders for our releases.
On 3/10/06, Theo de Raadt [EMAIL PROTECTED] wrote: But financially we are under strain, and it is not letting us grow any of our bigger plans. It sounds like you really have big plans. Maybe it is a good idea to tell about them, maybe that will make the big companies interested in sponsoring some of that work. And what... they'll help us out like they helped us with OpenSSH? Maybe I think too good about people/companies, but maybe if you want to create and a company really likes that they maybe sponsor. If you have big plans and need money for that and that company really needs feature they might think hey let's sponsor this. But I am just guessing, maybe the world we live in is worse than I have in mind. Anyway, keep up the good work. Wijnand
Re: crash: savecore - saves core dump every day?
2006/3/10, Nick Holland [EMAIL PROTECTED]: I'm not entirely sure I understand your question, the subject and the body of your message don't seem to be completely related. However, I think you may find the answers to your questions in man 8 crash Third paragraph (more or less, depending what one counts) tells what conditions cause the in-RAM image to be written to disk in the swap partition. If that happens, an attempt will be made to dump it to physical disk upon reboot. Will try to ask more clearly: How does savecore work in sense of detecting that condition to save core dump to swap space has been accomplished? Does it get message from kernel (which IPC technique?) or does it something like polling for special event (eg. newly created file)? regards
Re: crash: savecore - saves core dump every day?
Stefan Drexleri wrote: 2006/3/10, Nick Holland [EMAIL PROTECTED]: I'm not entirely sure I understand your question, the subject and the body of your message don't seem to be completely related. However, I think you may find the answers to your questions in man 8 crash Third paragraph (more or less, depending what one counts) tells what conditions cause the in-RAM image to be written to disk in the swap partition. If that happens, an attempt will be made to dump it to physical disk upon reboot. Will try to ask more clearly: How does savecore work in sense of detecting that condition to save core dump to swap space has been accomplished? Does it get message from kernel (which IPC technique?) or does it something like polling for special event (eg. newly created file)? Savecore is running after a reboot. It isn't getting a message from the now dead kernel through traditional techniques. After a kernel panic, it is generally not a great idea to write a normal file to a normal file system. As man 8 savecore indicates, it looks at the swap space to see if it looks like a valid core dump. If so, it dumps to disk. If you need more info on how it determines that, I'd suggest a read of the source code. If you really need that kind of information, you will probably have no problem with the source code (pretty small and contained, too -- about 16k in size). I suspect there is a question you are trying not to ask. What is prompting your questions? Are you having a problem? Trying to accomplish something? Nick.
Re: OpenBGPd with dynamic keying (ipsec ike support)
Without ever having looked at this I would guess that openbgpd support for dynamic keying is for securing the bgp session itself, nothing more. Yes, this is correct. *sigh*. There goes hopes for elegant BGP-IPsec VPNs, back to BGP over GRE over IPsec. Thanks Claudio, Tony for clearing this out, Florian
Re: ipsec.conf question
hi,

you have a main misunderstanding here because you're mixing up the identities with the flows.

On Thu, Mar 09, 2006 at 09:29:29PM +0100, Marc Peters wrote:

i am using -current as of 24.02.2006 and made a release for my other machines. i tried the ipsec tutorial which was posted on undeadly.org. i have to go with one gateway which has a dynamic ip because it is an adsl-connection which is disconnected after 24 hours. when i try to fire up the command ipsecctl -f /etc/ipsec.conf i get a syntax error for each line where i put in the fqdn of the remote host (which is dstid). i read the manpage of ipsec.conf(5) where it says

    srcid fqdn
        This optional parameter defines a FQDN that will be used by isakmpd(8) as the identity of the local peer.

    dstid fqdn
        Similar to srcid, this optional parameter defines a FQDN to be used by the remote peer.

and

    from src to dst peer remote
        This rule applies for packets with source address src and destination address dst. All addresses are specified in CIDR notation. The keyword any will match any address (i.e. 0.0.0.0/0). The peer parameter specifies the address of the remote endpoint of this particular flow. For host-to-host connections where dst is identical to remote, the peer specification can be left out.

the flows are used to determine which traffic should be encrypted and the peer is the address of your vpn gateway. all addresses are specified in CIDR notation. the identity is an additional parameter which is used as a simple authentication string on the remote side, i.e. if you specify a srcid blablahblahblahblah with RSA signatures (default in ipsecctl) the remote side will lookup the client's RSA public key in /etc/isakmpd/pubkeys/fqdn/blablahblahblahblah.

i tried this and get a syntax error.
my /etc/ipsec.conf looks like this:

    # cat /etc/ipsec.co
    ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer dstid \
        full-qualified.domain.name

^ this makes no sense

    ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 dstid full-qualified.domain.name

    ike passive esp from XXX.XXX.XX.XXX/25 to XXX.XXX.XX.X/24 peer dstid \
        full-qualified.domain.name
    ike passive esp from XXX.XXX.XXX.XX to XXX.XXX.XX.X/24 peer dstid \
        full-qualified.domain.name
    ike passive esp from XXX.XXX.XXX.XX to dstid full-qualified.domain.name

dito

the output is the following:

    # ipsecctl -nf /etc/ipsec.conf
    /etc/ipsec.conf: 1: syntax error
    /etc/ipsec.conf: 2: syntax error
    /etc/ipsec.conf: 3: syntax error
    /etc/ipsec.conf: 4: syntax error
    ipsecctl: Syntax error in config file: ipsec rules not loaded

on the other machine the config is similar and the error-message too (everywhere, i put a fqdn as srcid). /etc/ipsec.conf:

    ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer XXX.XXX.XXX.XX
    ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.XXX/25 peer XXX.XXX.XXX.XX
    ike esp from srcid fully-qualified.domain.name to 192.168.83.0/24 peer \
        XXX.XXX.XXX.XX

^ this is wrong

    ike esp from any to 192.168.83.0/24 peer XXX.XXX.XXX.XX srcid fully-qualified.domain.name

    ike esp from srcid fully-qualified.domain.name to XXX.XXX.XX.XXX/25 \
        peer XXX.XXX.XXX.XX
    ike esp from srcid fully-qualified.domain.name to XXX.XXX.XXX.XX

dito

output:

    # ipsecctl -f /etc/ipsec.conf
    /etc/ipsec.conf: 3: syntax error
    /etc/ipsec.conf: 4: syntax error
    /etc/ipsec.conf: 5: syntax error
    ipsecctl: Syntax error in config file: ipsec rules not loaded

can anyone point me in the correct direction, plz?
thx a lot marc dmesg: OpenBSD 3.9-beta (GENERIC) #1: Wed Mar 8 10:23:11 CET 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium III (GenuineIntel 686-class) 1.01 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE real mem = 535318528 (522772K) avail mem = 481447936 (470164K) using 4278 buffers containing 26869760 bytes (26240K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(64) BIOS, date 12/14/00, BIOS32 rev. 0 @ 0xf0b90 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0x13d2 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1300/208 (11 entries) pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0xc000 0xcc000/0x5400 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration mode 1 (no bios) pchb0 at pci0 dev 0 function 0 Intel 82815 Hub rev 0x02: rng active, 398Kb/sec vga1 at pci0 dev 2 function 0 Intel 82815 Graphics rev 0x02: aperture at 0xf800, size 0x400 wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation) wsdisplay0: screen 1-5 added (80x25, vt100 emulation) ppb0
Re: Pre-orders for our releases.
Back on the issue of the t-shirt suggestion. How about on the back of OpenBSD t-shirts, the slogan: Parasites don't puff, or even blow, they suck! Catchy, is it not? I'll get my coat. -- Best regards, Craig http://slashboot.org/
Re: Pre-orders for our releases.
On 10/03/06, Wijnand Wiersma [EMAIL PROTECTED] wrote: On 3/10/06, Theo de Raadt [EMAIL PROTECTED] wrote: But financially we are under strain, and it is not letting us grow any of our bigger plans. It sounds like you really have big plans. Maybe it is a good idea to tell about them, maybe that will make the big companies interested in sponsoring some of that work. And what... they'll help us out like they helped us with OpenSSH? Maybe I think too well of people/companies, but maybe if you want to create and a company really likes that they maybe sponsor. If you have big plans and need money for that and that company really needs a feature they might think hey let's sponsor this.

I doubt this will help. The main idea of OpenBSD development is freedom, people just hack for fun! If you are going to promise to develop, then you are putting unnecessary constraints on what you are about to do. If a company really wants to have this specific feature that you are talking about, it may try to write Theo a personal email and ask if anyone is interested in being sponsored to write this feature as they wish. Yes, as developers wish, -- remember, you cannot donate and say, I want archaic telnetd rewritten, back in the tree and promoted on the web-site. :-)

Cheers, Constantine.
OpenBSD - Cisco IPSEC
Hi I need to setup an IPSEC VPN between 2 locations. 1 location runs Cisco gear (out of my control) and the other runs OpenBSD (my decision). I've never setup a VPN between Cisco and OpenBSD before (I did between Cisco to Cisco and OpenBSD to OpenBSD) and I was wondering if there are any pitfalls or incompatibilities between Cisco and OpenBSD implementations of IPSEC that will cause problems? TIA Paolo
Re: Pre-orders for our releases.
Talk is really cheap. Getting a business, either the one you work for or a vendor, to donate hardware or funding is much harder. So instead of TALKING about it what you MIGHT do, go out and find equipment/funding from somewhere. Once you get something concrete notify Theo of what you have. This process works. diana
Re: OpenBSD - Cisco IPSEC
On Fri, 10 Mar 2006, Paolo Supino wrote: Hi I need to setup an IPSEC VPN between 2 locations. 1 location runs Cisco gear (out of my control) and the other runs OpenBSD (my decision). I've never setup a VPN between Cisco and OpenBSD before (I did between Cisco to Cisco and OpenBSD to OpenBSD) and I was wondering if there are any pitfalls or incompatibilities between Cisco and OpenBSD implementations of IPSEC that will cause problems? TIA Paolo Ehlo More info is required. Cisco is a company that grows via acquisition, therefore they have several different VPN solutions. Also, I did a quick search on Google for Cisco and OpenBSD ipsec and there are over 95k English hits. The very first response is OpenBSD IPSEC with cisco - HOWTO. diana
Re: ipsec.conf question
thx for your answer.

Reyk Floeter wrote:

hi,

you have a main misunderstanding here because you're mixing up the identities with the flows.

On Thu, Mar 09, 2006 at 09:29:29PM +0100, Marc Peters wrote:

i am using -current as of 24.02.2006 and made a release for my other machines. i tried the ipsec tutorial which was posted on undeadly.org. i have to go with one gateway which has a dynamic ip because it is an adsl-connection which is disconnected after 24 hours. when i try to fire up the command ipsecctl -f /etc/ipsec.conf i get a syntax error for each line where i put in the fqdn of the remote host (which is dstid). i read the manpage of ipsec.conf(5) where it says

    srcid fqdn
        This optional parameter defines a FQDN that will be used by isakmpd(8) as the identity of the local peer.

    dstid fqdn
        Similar to srcid, this optional parameter defines a FQDN to be used by the remote peer.

and

    from src to dst peer remote
        This rule applies for packets with source address src and destination address dst. All addresses are specified in CIDR notation. The keyword any will match any address (i.e. 0.0.0.0/0). The peer parameter specifies the address of the remote endpoint of this particular flow. For host-to-host connections where dst is identical to remote, the peer specification can be left out.

the flows are used to determine which traffic should be encrypted and the peer is the address of your vpn gateway. all addresses are specified in CIDR notation. the identity is an additional parameter which is used as a simple authentication string on the remote side, i.e. if you specify a srcid blablahblahblahblah with RSA signatures (default in ipsecctl) the remote side will lookup the client's RSA public key in /etc/isakmpd/pubkeys/fqdn/blablahblahblahblah.

i tried this and get a syntax error.
my /etc/ipsec.conf looks like this:

    # cat /etc/ipsec.co
    ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer dstid \
        full-qualified.domain.name

^ this makes no sense

    ike passive esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 dstid full-qualified.domain.name

okay, understanding this. in this column i have internal addresses and ipsecctl needs a peer for this. but the peer is on a consumer adsl-line and therefore i need a fqdn for this because of the disconnection after 24h. is there any possibility to get this working? or do i have to use any as the peer and just only set the dstid?

    ike passive esp from XXX.XXX.XX.XXX/25 to XXX.XXX.XX.X/24 peer dstid \
        full-qualified.domain.name
    ike passive esp from XXX.XXX.XXX.XX to XXX.XXX.XX.X/24 peer dstid \
        full-qualified.domain.name
    ike passive esp from XXX.XXX.XXX.XX to dstid full-qualified.domain.name

dito

the output is the following:

    # ipsecctl -nf /etc/ipsec.conf
    /etc/ipsec.conf: 1: syntax error
    /etc/ipsec.conf: 2: syntax error
    /etc/ipsec.conf: 3: syntax error
    /etc/ipsec.conf: 4: syntax error
    ipsecctl: Syntax error in config file: ipsec rules not loaded

on the other machine the config is similar and the error-message too (everywhere, i put a fqdn as srcid). /etc/ipsec.conf:

    ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.X/24 peer XXX.XXX.XXX.XX
    ike esp from XXX.XXX.XX.X/24 to XXX.XXX.XX.XXX/25 peer XXX.XXX.XXX.XX
    ike esp from srcid fully-qualified.domain.name to 192.168.83.0/24 peer \
        XXX.XXX.XXX.XX

^ this is wrong

    ike esp from any to 192.168.83.0/24 peer XXX.XXX.XXX.XX srcid fully-qualified.domain.name

    ike esp from srcid fully-qualified.domain.name to XXX.XXX.XX.XXX/25 \
        peer XXX.XXX.XXX.XX
    ike esp from srcid fully-qualified.domain.name to XXX.XXX.XXX.XX

dito

output:

    # ipsecctl -f /etc/ipsec.conf
    /etc/ipsec.conf: 3: syntax error
    /etc/ipsec.conf: 4: syntax error
    /etc/ipsec.conf: 5: syntax error
    ipsecctl: Syntax error in config file: ipsec rules not loaded

can anyone point me in the correct direction, plz?
thx a lot marc dmesg: OpenBSD 3.9-beta (GENERIC) #1: Wed Mar 8 10:23:11 CET 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium III (GenuineIntel 686-class) 1.01 GHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,FXSR,SSE real mem = 535318528 (522772K) avail mem = 481447936 (470164K) using 4278 buffers containing 26869760 bytes (26240K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(64) BIOS, date 12/14/00, BIOS32 rev. 0 @ 0xf0b90 apm0 at bios0: Power Management spec V1.2 apm0: AC on, battery charge unknown apm0: flags 30102 dobusy 0 doidle 1 pcibios0 at bios0: rev 2.1 @ 0xf/0x13d2 pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xf1300/208 (11 entries) pcibios0: PCI Interrupt Router at 000:31:0 (Intel 82371FB ISA rev 0x00) pcibios0: PCI bus #1 is the last bus bios0: ROM list: 0xc/0xc000 0xcc000/0x5400 cpu0 at mainbus0 pci0 at mainbus0 bus 0: configuration
Re: ipsec.conf question (dynamic and bypass example)
btw.,

On Thu, Mar 09, 2006 at 09:29:29PM +0100, Marc Peters wrote:

i am using -current as of 24.02.2006 and made a release for my other machines. i tried the ipsec tutorial which was posted on undeadly.org. i have to go with one gateway which has a dynamic ip because it is an adsl-connection which is disconnected after 24 hours. when i try to fire

last week i committed two useful extensions to ipsecctl.

- ike dynamic esp

  When active or dynamic is specified, negotiation will be started at once. The dynamic mode will additionally enable Dead Peer Detection (DPD) and use the local hostname as the identity of the local peer, if not specified by the srcid parameter. dynamic mode should be used for hosts with dynamic IP addresses like road warriors or dialup hosts. The DPD option forces the dialup hosts to reconnect after a few seconds if they lose the IKE connection (i.e. in case of a provider-forced reconnect and a new IPv4 address).

- bypass / deny flows

  A bypass flow is used to specify a flow for which security processing will be bypassed: matching packets will not be processed by any other flows and handled in normal operation. A deny flow is used to drop any matching packets. The bypass flows are useful for VPN-subnets, see the examples below.

This is a simplified example of a real-world scenario (sorry, I like ASCII art...):

    [ A-DSL ]---() ( Internet )-[ VPN-Gateway ] [ A-DSL ]---() | (Laptops)---+ \_/ VPN 172.16.0.0/16

1.) There are several A-DSL hosts with dynamic IPv4 addresses.
2.) The VPN-Gateway is an internet host with a fixed IPv4 address.
3.) The Laptops are using OpenSSH layer 3 VPN tunneling over TCP (works everywhere...)

Configuration examples ([VPN-GATEWAY] is the IPv4 address of the gateway):

1.) Configuration and setup on the A-DSL Host firsthost.my.domain

- Initial configuration (you could use keynote and isakmpd.conf, but it is not required)

    # rm /etc/isakmpd/isakmpd.*
    # scp [VPN-GATEWAY]:/etc/isakmpd/private/local.pub /etc/isakmpd/pubkeys/ipv4/[VPN-GATEWAY]
    # scp /etc/isakmpd/private/local.pub [VPN-GATEWAY]:/etc/isakmpd/pubkeys/fqdn/$(hostname)

- The internal interface is attached to the local /24 network, set a route to the /16 VPN

    # cat /etc/hostname.xl0
    inet 172.16.10.1 255.255.255.0 172.16.10.255
    !route add 172.16.0.0/16 -iface 172.16.10.1

- ipsec configuration (that's all!)

    # cat /etc/ipsec.conf
    flow from 172.16.10.0/24 to 172.23.10.0/24 type bypass
    ike dynamic esp from 172.16.10.0/24 to 172.16.0.0/16 peer [VPN-GATEWAY]

- Setup firewall rules in /etc/pf.conf for the VPN (ike, esp, ...)

- Start isakmpd

    # isakmpd -K
    # ipsecctl -f /etc/ipsec.conf

2.) Configuration on the VPN-Gateway

- Initial configuration...

    # rm /etc/isakmpd/isakmpd.*

- ipsec configuration

    # cat /etc/ipsec.conf
    ike passive esp from 172.16.10.0/24 to [VPN-GATEWAY] dstid firsthost.my.domain
    ike passive esp from 172.16.11.0/24 to [VPN-GATEWAY] dstid secondhost.my.domain
    ike passive esp from 172.16.12.0/24 to [VPN-GATEWAY] dstid thirdhost.my.domain

- Setup firewall rules in /etc/pf.conf for the VPN (ike, esp, ...)

- Start isakmpd

    # isakmpd -K
    # ipsecctl -f /etc/ipsec.conf

3.) The laptops are using /30 subnets in the 172.16.0.0/16 range and they're reachable via the VPN. Have a look at ssh_config(5) or the src/usr.bin/ssh/README.tun file for details. SSH-VPN can be used almost everywhere (even with HTTP-proxies and CONNECT, that's a benefit of TCP over UDP or ESP) and it's the ideal solution for mobile users with temporary connections.

and it just works... :)

Currently, all the ipsec-hosts are running OpenBSD (what else?) and the Laptops are running OpenBSD, Linux and MacOS X 10.4.
reyk -- /* .vantronix|secure systems - (research development) * reyk floeter - friendly known free software engineer * [EMAIL PROTECTED] - http://team.vantronix.net/reyk/ */
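As an added example that is not from this thread or from ipsecctl itself: a Python checker for the rule shapes quoted above from ipsec.conf(5), pointing at the exact token where Marc's configs put a FQDN where an address belongs, and accepting the dynamic/bypass rules from Reyk's example. The grammar is my simplification of the thread's examples (flow and ike rules with from/to, peer, srcid, dstid and type only), and the sample configurations, including the 192.0.2.1 gateway address, are constructed for the demonstration.

```python
"""Checker for a simplified ipsec.conf rule grammar (assumption, modelled
on the examples in this thread, not ipsecctl's real parser):

  flow from <addr> to <addr> [peer <addr>] [type bypass|deny]
  ike [active|passive|dynamic] esp from <addr> to <addr>
      [peer <addr>] [srcid <fqdn>] [dstid <fqdn>]

<addr> is an IP address, a CIDR network, or the keyword "any".
"""
import ipaddress
import re

MODES = {"active", "passive", "dynamic"}
FLOW_TYPES = {"bypass", "deny"}
KEYWORDS = {"flow", "ike", "esp", "from", "to", "peer", "srcid", "dstid", "type"} | MODES


def is_addr(tok):
    """True for a host address, a CIDR network, or the keyword 'any'."""
    if tok == "any":
        return True
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def is_fqdn(tok):
    """A dotted hostname that is neither an address nor a grammar keyword."""
    if tok in KEYWORDS or is_addr(tok):
        return False
    return re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", tok) is not None


def _expect(tokens, i, pred, what):
    """Return tokens[i] when pred(tokens[i]) holds, else raise ValueError."""
    if i >= len(tokens):
        raise ValueError("expected %s, got end of rule" % what)
    if not pred(tokens[i]):
        raise ValueError("expected %s, got '%s'" % (what, tokens[i]))
    return tokens[i]


def parse_rule(tokens):
    """Parse one tokenised rule into a dict of fields, or raise ValueError."""
    rule, i = {}, 1
    if tokens[0] == "flow":
        rule["kind"] = "flow"
    elif tokens[0] == "ike":
        rule["kind"] = "ike"
        if i < len(tokens) and tokens[i] in MODES:   # optional mode keyword
            rule["mode"] = tokens[i]
            i += 1
        _expect(tokens, i, lambda t: t == "esp", "'esp'")
        i += 1
    else:
        raise ValueError("unknown rule type '%s'" % tokens[0])
    _expect(tokens, i, lambda t: t == "from", "'from'")
    rule["src"] = _expect(tokens, i + 1, is_addr, "source address after 'from'")
    _expect(tokens, i + 2, lambda t: t == "to", "'to'")
    rule["dst"] = _expect(tokens, i + 3, is_addr, "destination address after 'to'")
    i += 4
    while i < len(tokens):                            # optional keyword pairs
        kw = tokens[i]
        if kw == "peer":
            rule["peer"] = _expect(tokens, i + 1, is_addr, "peer address after 'peer'")
        elif kw in ("srcid", "dstid") and rule["kind"] == "ike":
            rule[kw] = _expect(tokens, i + 1, is_fqdn, "FQDN after '%s'" % kw)
        elif kw == "type" and rule["kind"] == "flow":
            rule["type"] = _expect(tokens, i + 1, lambda t: t in FLOW_TYPES, "bypass or deny")
        else:
            raise ValueError("unexpected token '%s'" % kw)
        i += 2
    return rule


def check_config(text):
    """Return [(line, message)] for each rule that fails to parse.
    Backslash continuations are joined; the line reported is the physical
    line on which the rule starts. Comments after '#' are ignored."""
    errors, buf, start = [], [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line and not buf:
            continue
        if not buf:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        tokens, buf = " ".join(buf).split(), []
        if tokens:
            try:
                parse_rule(tokens)
            except ValueError as e:
                errors.append((start, str(e)))
    return errors


# Constructed samples modelled on the thread (addresses are placeholders).
BROKEN = """\
ike passive esp from 172.16.10.0/24 to 172.16.0.0/16 peer dstid \\
    firsthost.my.domain
ike passive esp from 172.16.11.0/24 to dstid secondhost.my.domain
ike esp from srcid firsthost.my.domain to 172.16.0.0/16 peer 192.0.2.1
"""
FIXED = """\
flow from 172.16.10.0/24 to 172.23.10.0/24 type bypass
ike passive esp from 172.16.10.0/24 to 192.0.2.1 dstid firsthost.my.domain
ike dynamic esp from 172.16.10.0/24 to 172.16.0.0/16 peer 192.0.2.1
ike esp from any to 192.168.83.0/24 peer 192.0.2.1 srcid firsthost.my.domain
"""

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, "->", check_config(cfg) or "no syntax errors")
```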
Re: ipsec.conf question (dynamic and bypass example)
On Fri, Mar 10, 2006 at 03:53:15PM +0100, Reyk Floeter wrote: 3.) The laptops are using /30 subnets in the 172.16.0.0/16 range and they're reachable via the VPN. Have a look at ssh_config(5) or the src/usr.bin/ssh/README.tun file for details. SSH-VPN can be used almost everywhere (even with HTTP-proxies and CONNECT, that's a benefit of TCP over UDP or ESP) and it's the ideal solution for mobile users with temporary connections. Ah, and I forgot to mention the section SSH-BASED VIRTUAL PRIVATE NETWORKS in the ssh(1) manual page! reyk -- /* .vantronix|secure systems - (research development) * reyk floeter - friendly known free software engineer * [EMAIL PROTECTED] - http://team.vantronix.net/reyk/ */
Re: Pre-orders for our releases.
A thought suddenly occurs. Perhaps big companies that use OpenBSD do not want to disclose their use by donating because they fear that this might give their competitors an advantage(now their competitors know what OS they're using), or might help crackers/s-kiddies/etc. attack that company now that they know what OS they're running (this is not an attack on OpenBSD's security. I'm saying that anybody could take a secure OS and make it insecure, even multi-million dollar corporations) Wijnand Wiersma wrote: On 3/10/06, Theo de Raadt [EMAIL PROTECTED] wrote: But financially we are under strain, and it is not letting us grow any of our bigger plans. It sounds like you really have big plans. Maybe it is a good idea to tell about them, maybe that will make the big companies interested in sponsoring some of that work. And what... they'll help us out like they helped us with OpenSSH? Maybe I think too good about people/companies, but maybe if you want to create and a company really likes that they maybe sponsor. If you have big plans and need money for that and that company really needs feature they might think hey let's sponsor this. But I am just guessing, maybe the world we live in is worse than I have in mind. Anyway, keep up the good work. Wijnand
Re: Pre-orders for our releases.
On 10/03/06, A Rossi [EMAIL PROTECTED] wrote: A thought suddenly occurs. Perhaps big companies that use OpenBSD do not want to disclose their use by donating because they fear that this might give their competitors an advantage(now their competitors know what OS they're using), or might help crackers/s-kiddies/etc. attack that company now that they know what OS they're running (this is not an attack on OpenBSD's security. I'm saying that anybody could take a secure OS and make it insecure, even multi-million dollar corporations) I don't get how you've come up to this strange conclusion... Since when does OpenBSD not accept anonymous donations?
Re: Pre-orders for our releases.
OpenBSD always charges nothing back, that's an ideology (that's the way I see it). The price of ideologies in a world like ours is expensive. For instance, I am tired of seeing big players using OpenSSH and the like. They give nothing back to OpenBSD. Probably the third BSD license clause should be incorporated again. This would give them an argument for supporting OpenBSD: either they advertise that OpenBSD is being used by them, or they pay something back. This could be a means to establish a tradeoff for them to decide on. Thanks. 2006/3/10, Wijnand Wiersma [EMAIL PROTECTED]: On 3/10/06, Theo de Raadt [EMAIL PROTECTED] wrote: But financially we are under strain, and it is not letting us grow any of our bigger plans. It sounds like you really have big plans. Maybe it is a good idea to tell us about them; maybe that will make the big companies interested in sponsoring some of that work. And what... they'll help us out like they helped us with OpenSSH? Maybe I think too well of people/companies, but if you want to create something and a company really likes it, maybe they will sponsor it. If you have big plans and need money for that, and that company really needs the feature, they might think "hey, let's sponsor this". But I am just guessing; maybe the world we live in is worse than I have in mind. Anyway, keep up the good work. Wijnand
Re: Pre-orders for our releases.
From: [EMAIL PROTECTED] OpenBSD always charges nothing back, that's an ideology (that's the way I see it). The price of ideologies in a world like ours is expensive. For instance, I am tired of seeing big players using OpenSSH and the like. They give nothing back to OpenBSD. Probably the third BSD license clause should be incorporated again. This would give them an argument for supporting OpenBSD: either they advertise that OpenBSD is being used by them, or they pay something back. This could be a means to establish a tradeoff for them to decide on. And yet the meaning of free still escapes you. If you want these bastards to pay you for the software they use and make money off of, then you license it in such a way that makes them pay for it. Since the larger goal is to promote freedom in software usage (and by all definitions of the word), then this is obviously not the solution anyone wants. The BSD license doesn't make anyone give back, nor is it intended to. Charity, guilt, conscience, appreciation, or just because you're a good guy are all reasons to give back. Corporate America cares about none of these. It's a sad reality. But at this point I think it's a safe bet that the OpenBSD project is not bent on world domination or getting rich and retiring to the Caymans on software sales. DS
Re: OpenBSD - Cisco IPSEC
On Fri, Mar 10, 2006 at 08:12:59AM -0500, Paolo Supino wrote: Hi I need to setup an IPSEC VPN between 2 locations. 1 location runs Cisco gear (out of my control) and the other runs OpenBSD (my decision). depending on whether this is relevant to your needs or not, vpnc from ports(/security) works well for me. the 0.3.3 one does some cute xauth stuff (i guess?) and pulls down routes automagically. seems like work went into the vpnc-script. i am using vpnc just to access the work VPN, though, and not for something such as setting up a permanent tunnel between two gateways. -- jared [ openbsd 3.9-beta GENERIC ( jan 30 ) // i386 ]
Re: OpenBSD - Cisco IPSEC
On 3/10/06, jared r r spiegel [EMAIL PROTECTED] wrote: i am using vpnc just to access work-vpn, tho, and not for something such as setting up a permanant tunnel between two gateways. AFAIK vpnc does not support rekeying yet, and that sucks :-)
numlockx
numlockx doesn't seem to have any effect on either of my computers. I've tried both numlockx-1.0 from ports and http://ktown.kde.org/~seli/numlockx/numlockx-1.1.tar.gz so I'm suspecting OpenBSD X11. My Xorg logs and confs are at http://enop.org/obsd/
FW: Pre-orders for our releases.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Spruell, Darren-Perot Sent: March 10, 2006 12:34 PM To: misc@openbsd.org Subject: Re: Pre-orders for our releases. From: [EMAIL PROTECTED] OpenBSD always charges nothing back, that's an ideology (that's the way I see it). The price of ideologies in a world like ours is expensive. For instance, I am tired of seeing big players using OpenSSH and the like. They give nothing back to OpenBSD. Probably the third BSD license clause should be incorporated again. This would give them an argument for supporting OpenBSD: either they advertise that OpenBSD is being used by them, or they pay something back. This could be a means to establish a tradeoff for them to decide on. And yet the meaning of free still escapes you. If you want these bastards to pay you for the software they use and make money off of, then you license it in such a way that makes them pay for it. Since the larger goal is to promote freedom in software usage (and by all definitions of the word), then this is obviously not the solution anyone wants. The BSD license doesn't make anyone give back, nor is it intended to. Charity, guilt, conscience, appreciation, or just because you're a good guy are all reasons to give back. Corporate America cares about none of these. It's a sad reality. But at this point I think it's a safe bet that the OpenBSD project is not bent on world domination or getting rich and retiring to the Caymans on software sales. DS I wouldn't go quite that far. Corporate anywhere cares about charity. Actually, to be honest, they care about charitable receipts. So if they can donate money to someone and get a receipt to use for tax purposes then that makes their beancounters happy. Of course, for this to benefit OpenBSD they'd have to be registered as a charitable organization etc. etc. and that is probably somewhere they either don't want to or can't go (or they already have and I just don't know).
Reactivate Your Chase Account
Customer Service message. We are glad to inform you that our bank has a new security system. The updated technology will ensure the security of your payments through our bank. Hoping you'll understand that we are doing this for your own safety, we suggest you renew your account at our Customer Center. Log into your account, using your User ID and Password. Note: If we do not receive the appropriate account verification within 48 hours, the account will be suspended. The purpose of this verification is to ensure that your bank account has not been fraudulently used and to combat fraud from our community. ABOUT THIS MESSAGE This service message was delivered to you as a Chase credit card customer. If you wish to unsubscribe from e-mail messages from Chase Card Services, please click here. Please allow up to ten business days for us to process your request. Please do not reply to this message. Replies to this message will not be responded to. To contact Chase go to www.chase.com © 2006 JPMorgan Chase Co.
Re: FW: Pre-orders for our releases.
Hi Craig, Of course, for this to benefit OpenBSD they'd have to be registered as a charitable organization etc. etc. and that is probably somewhere they either don't want to or can't go (or they already have and I just don't know) Ain't. Gonna. Happen. (See the archives; really) I think you'll have more luck trying to explain the meaning of karma to some PHB than raising this issue here. Have a nice one... Nico :-)
FW: FW: Pre-orders for our releases.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Nico Meijer Sent: March 10, 2006 2:56 PM To: misc@openbsd.org Subject: Re: FW: Pre-orders for our releases. Hi Craig, Of course, for this to benefit OpenBSD they'd have to be registered as a charitable organization etc. etc. and that is probably somewhere they either don't want to or can't go (or they already have and I just don't know) Ain't. Gonna. Happen. (See the archives; really) I think you'll have more luck trying to explain the meaning of karma to some PHB than raising this issue here. Have a nice one... Nico :-) I have no argument with that. I was really only playing devil's advocate which is why I stated my ignorance. We're so far OT I wasn't going to dedicate the time for further research. As Theo said, if we're thinking of it now, he and everyone else have already been there, done that, got and sold the t-shirt, and now they want to get back to coding. :)
Re: carp and random disconnects
On 3/6/06, Bryan Irvine [EMAIL PROTECTED] wrote: We seem to be having a problem with random disconnects after instituting carp on our gateway. The problem is only happening with our telnet[1] users connected to our legacy systems. The problem only happens with remote users that come in via T1 and don't go through the gateway. The machines they are connecting to are using 10.0.0.1 as their gateway and seem to occasionally choke when receiving an icmp-redirect from 10.0.0.2 (or 10.0.0.3 depending on which one is master) when they have queried 10.0.0.1. It's really hard to duplicate and as such I don't have much debug info. A user might be connected for hours or a few minutes. Ideas on what I should be looking for? Adding static routes to the legacy servers corrects this, but I don't really want to do that every time a site complains about disconnects (if there is an easier way, that is). <snip> Would route-to be something I'd want to look at to fix this? Here's a dmesg from this machine: OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
Re: FW: FW: Pre-orders for our releases.
Man, talk, talk, talk, blah, blah, blah. quit blathering and just do it!
Re: Pre-orders for our releases.
On 3/10/06, Wijnand Wiersma [EMAIL PROTECTED] wrote: Maybe I think too well of people/companies, but if you want to create something and a company really likes it, maybe they will sponsor it. If you have big plans and need money for that, and that company really needs the feature, they might think "hey, let's sponsor this". or they could start paying for the features they are already using today.
Re: carp and random disconnects
On 2006/03/10 12:19, Bryan Irvine wrote: On 3/6/06, Bryan Irvine [EMAIL PROTECTED] wrote: The problem only happens with remote users that come in via T1 and don't go through the gateway. The machines they are connecting to are using 10.0.0.1 as their gateway and seem to occasionally choke when receiving an icmp-redirect from 10.0.0.2 (or 10.0.0.3 depending on which one is master) when they have queried 10.0.0.1. Your post is missing a bit of information about the network, but if I'm not mistaken you sometimes have the start of the connection not passing through either firewall? If that's the case either make sure you allow packets from established connections that you don't have state for (this means you lose some of the protection of PF's stateful checking): i.e. don't use flags S/SA in the relevant rules... or rearrange the network routing so you don't need redirects (if you want advice on this you'll definitely need to post more details about the carp/PF setup, how the affected users reach the relevant hosts, etc: output from netstat -rn and ifconfig at strategic places will help illustrate, the PF ruleset may help too).
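The two options Stuart describes, written out as an added pf.conf example (not from the thread's ruleset) in OpenBSD 3.8-era syntax, where keep state is explicit and a TCP rule without flags matches every flag combination. The interface and address macros are assumptions modelled on the setup in the thread, and 172.19.0.0/16 is a placeholder for the networks on the far side of the Cisco.

```pf
# Added example, not the poster's real ruleset. All macro values are assumptions.
lan1    = "fxp1"            # interface facing the legacy servers
servers = "10.0.0.0/16"     # servers whose default route is the carp address
remote  = "172.19.0.0/16"   # placeholder: telnet users reached through the Cisco

block log all

# Before: only a SYN creates state. A session whose SYN went straight through
# the Cisco reaches this firewall mid-stream (server -> remote user), never
# matches flags S/SA, and falls through to the block rule: the session dies.
pass in  on $lan1 proto tcp from $servers to $remote flags S/SA keep state
pass out on $lan1 proto tcp from $servers to $remote flags S/SA keep state

# After (Stuart's first option): a stateless pass for exactly this traffic,
# with no flags check and no keep state, so mid-stream packets are forwarded.
# "quick" makes these win over the stateful rules above; scoping them to the
# telnet service keeps the loss of stateful checking as narrow as possible.
pass in  quick on $lan1 proto tcp from $servers port telnet to $remote
pass out quick on $lan1 proto tcp from $servers port telnet to $remote

# Alternative (Stuart's second option, and what Bryan did by hand): fix the
# routing so the firewall never sees this traffic and no redirect is needed,
# e.g. on each legacy server:   route add -net 172.19.0.0/16 10.0.0.201
# The stateful rules then stay untouched. If the redirects sent from the
# firewall's real address turn out to be what the legacy hosts choke on,
# "sysctl net.inet.ip.redirect=0" on the firewall stops it emitting them.
```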
Re: FW: Pre-orders for our releases.
On 3/10/06, Craig Ryhorchuk [EMAIL PROTECTED] wrote: I wouldn't go quite that far. Corporate anywhere cares about charity. No, they don't care about charity. They care about tax deductions. There is a big difference between the two. I think this is a reason why Theo is loath to start a non-profit organization and I completely agree. Greg
Re: Pre-orders for our releases.
On 3/10/06, Ted Unangst [EMAIL PROTECTED] wrote: On 3/10/06, Wijnand Wiersma [EMAIL PROTECTED] wrote: Maybe I think too well of people/companies, but if you want to create something and a company really likes it, maybe they will sponsor it. If you have big plans and need money for that, and that company really needs the feature, they might think "hey, let's sponsor this". or they could start paying for the features they are already using today. You are very right, but in this sad world that ain't gonna happen. If there are big plans, and the companies could benefit from those big plans, it might actually make them donate if those plans need real donations. It all depends on how big the plan is and how it will affect the usefulness of OpenBSD. When I read Theo's words in the first post I know for sure he really has big plans. But ok, I will shut up and go on in my little nasty dreamworld. Wijnand
Re: FW: Pre-orders for our releases.
I agree with those who have said that this thread is very largely a waste of time with lots of talk and little action coming from it apart from the few overt contributions to the power bill fund. Thanks to those people. For those of you who haven't thought of a way to contribute more than your personal $$ or those of your own business, how about what I am doing. I am writing personalised letters to businesses where I have used any OpenBSD technology informing them that my bills have not included a charge for OpenBSD/OpenSSH etc (as it applies to their business). I'll be relating to them that if it was MSFT/IBM/Novell/RedHat whatever they would have had considerably more to pay and that, whilst they can get more of OBSD free of charge, that won't necessarily continue without some voluntary contributions. I'll tell them that outfits like Apple, HP, IBM and Microsoft use OpenBSD produced software to enhance their products and largely don't contribute anything in return. Then I'll close by saying that I think that you ($RECIPIENT) are not so mean or shortsighted as the megaliths seem to be and will make a contribution in appreciation of past services and in anticipation of more high quality software from the talented OpenBSD team. Then I'll close with just the website donation URL as sending cheques from Australia is likely to cause hassles if anyone is silly enough to write one in $AUD and post it off with the payee as OpenBSD. Now I'll shut up and hack (some more letters). Maybe some of you can do the same? A bunch of smallish payments from SMBs would likely add up to more than we'll see from any of the biggies. Prove me wrong IBM/HP/Apple/MSFT ! From the land down under: Australia. Do we look umop apisdn from up over? Do NOT CC me - I am subscribed to the list. Replies to the sender address will fail except from the list-server.
Re: FW: Pre-orders for our releases.
On 3/10/06, Rod.. Whitworth [EMAIL PROTECTED] wrote: I agree with those who have said that this thread is very largely a waste of time with lots of talk and little action coming from it apart from the few overt contributions to the power bill fund. Thanks to those people. For those of you who haven't thought of a way to contribute more than your personal $$ or those of your own business, how about what I am doing. I am writing personalised letters to businesses where I have used any OpenBSD technology informing them that my bills have not included a charge for OpenBSD/OpenSSH etc (as it applies to their business). Along those lines I'm drafting a letter to our CIO and other PHBs around the company. I'll most likely be able to get a donation to OpenSSH since we use it on Linux, HP boxes, Cisco stuff, OS X, etc. Any chance a donations link could be added to openssh.org? Greg
Re: carp and random disconnects
On 3/10/06, Stuart Henderson [EMAIL PROTECTED] wrote: On 2006/03/10 12:19, Bryan Irvine wrote: On 3/6/06, Bryan Irvine [EMAIL PROTECTED] wrote: The problem only happens with remote users that come in via T1 and don't go through the gateway. The machines they are connecting to are using 10.0.0.1 as their gateway and seem to occasionally choke when receiving an icmp-redirect from 10.0.0.2 (or 10.0.0.3 depending on which one is master) when they have queried 10.0.0.1. Your post is missing a bit of information about the network, but if I'm not mistaken you sometimes have the start of the connection not passing through either firewall? If that's the case either make sure you allow packets from established connections that you don't have state for (this means you lose some of the protection of PF's stateful checking): i.e. don't use flags S/SA in the relevant rules... or rearrange the network routing so you don't need redirects (if you want advice on this you'll definitely need to post more details about the carp/PF setup, how the affected users reach the relevant hosts, etc: output from netstat -rn and ifconfig at strategic places will help illustrate, the PF ruleset may help too). The packets never pass *through* the firewall, but since the firewall is the default gateway it gets queried for certain routes, which pass through one of the Ciscos. (Apologies for the ASCII)

          Internet
           /    \
     [fw1]-carp-[fw2]
           \    /
            LAN1
             |
           Cisco
           /   \
         T1a   T1b
          |     |
        LAN2   LAN3

(There's more than 3 LANs but for simplicity we'll just show 2) So what we have are some servers on LAN1 with a default gateway of the carp IP on the firewalls. Somebody located on either LAN2 or LAN3 telnets to one of those servers, gets connected and goes on about their daily business. Sometime later their connection drops. It happened after we installed the carp firewalls, and seems to be related to ICMP-Redirect coming from the real IP, as opposed to the carp one the request went to.
pf.conf:

###
## Interface Macros ##
WAN = fxp0
DMZ = fxp3
LOOPBACK = lo0
LAN1 = fxp1
LAN2 = fxp2
LANS = { $LAN1 $LAN2 }
ALL = { $LAN1 $LAN2 $WAN $DMZ }
KENTLEGACY = '192.233.103.0/24'
KENT = '10.0.0.0/16'
BELLEVUE = '10.1.0.0/16'
#Virtual access interface on cisco's
VIRTUAL = '192.168.210.0/24'
PENINSULA = '192.233.99.0/24'
MERCER = '192.168.98.0/24'
LEGACYWEB = '207.109.73.0/24'
REDMOND = '10.2.0.1/24'
WEB = '10.5.1.0/24'
#NATS = { $KENTLEGACY $KENT '192.233.100.0/24' '192.168.99.0/24' }
NATS = { $KENTLEGACY $KENT $BELLEVUE }

#
## Server Macros ##
#
localhost = 127.0.0.1
firebox2 = 64.1.201.130
Addesk = 64.1.201.146
FTPServer = 64.1.201.147
mailservers = { mx.kcjn.com 10.0.1.1 }
ghost = 64.1.201.149
smtp = 64.1.201.150
www3 = www3.kcjn.com
www5 = 64.1.201.153

###
## Port Macros ##
###
ftpproxy = 8021
vnc = 5900

## Start the fun!!! ##
set limit { states 2, frags 2}

#
## Clean packets ##
#
scrub in all

## Start up NAT ##
nat on $WAN inet from $KENTLEGACY to any -> ($WAN)
nat on $WAN inet from $KENT to any -> ($WAN)
nat on $WAN inet from $BELLEVUE to any -> ($WAN)
nat on $WAN inet from $VIRTUAL to any -> ($WAN)
#nat on $WAN inet from $NAT4 to any -> ($WAN)
nat on $WAN inet from $PENINSULA to any -> ($WAN)
nat on $WAN inet from $MERCER to any -> ($WAN)
nat on $WAN inet from $LEGACYWEB to any -> ($WAN)
nat on $WAN inet from $REDMOND to any -> ($WAN)
nat on $WAN inet from $WEB to any -> ($WAN)

###
## spam tarpitting ##
###
table <spamd> persist
table <spamd-white> persist
table <spamd-mywhite> persist file "/etc/pf/whitelist.txt"
rdr pass on $WAN proto tcp from <spamd-mywhite> to port smtp -> mx.kcjn.com port smtp
rdr pass on $WAN inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr pass on $WAN inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025

#
## Redirection for squid ##
#
#don't redirect local connections
no rdr on $LANS inet proto tcp from $NATS to { 192.233.100.110 10.0.5.1 10.0.5.2 10.0.5.3 10.0.5.4 64.1.201.149 64.122.4.29 207.109.73.105 207.109.73.66 intranet.horvitznewspapers.net } port www
#Don't proxy proxied connections
no rdr on $LANS inet proto tcp from { 10.0.5.1 10.0.5.2 10.0.5.3 10.0.5.4 64.1.201.149 64.122.4.29 207.109.73.105 207.109.73.66 } to any port www
#redirect rule for Squid
#rdr pass on $LANS inet proto tcp from $NATS to any port www -> $localhost port 3128

#
## FTP Proxy ##
#
no rdr on $LANS proto tcp from any to { 10.0.5.8 10.0.0.191
Re: carp and random disconnects
On 3/10/06, Steven S [EMAIL PROTECTED] wrote: Bryan Irvine wrote: ... ... It happened after we installed the carp firewalls, and seems to be related to ICMP-Redirect coming from the real IP, as opposed to the carp one the request went to. ... Interesting, in my experiments carp interfaces didn't send ICMP redirects at all... The CARP interface is not. I'm not sure if it's supposed to or not. I'm guessing because that is the only thing that has changed. With the exception of the carp and pfsync rules, this is the exact same ruleset from the old firewall. Here's what I see on the firewall when I try a traceroute to a remote network that goes through a different gateway:
17:51:50.581658 10.0.0.2 > 10.0.253.236.kent-dhcp.kcjn.com: icmp: time exceeded in-transit
17:51:50.585106 10.0.0.2 > 10.0.253.236.kent-dhcp.kcjn.com: icmp: time exceeded in-transit
17:51:50.585402 10.0.0.2 > 10.0.253.236.kent-dhcp.kcjn.com: icmp: time exceeded in-transit
The results of the traceroute:
 1 10.0.0.2 (10.0.0.2) 0.971 ms 0.268 ms 4.880 ms
 2 10.0.0.201 (10.0.0.201) 0.508 ms 0.503 ms 0.359 ms
 3 172.19.1.10 (172.19.1.10) 111.714 ms 111.264 ms 111.691 ms
 4 172.19.4.10 (172.19.4.10) 111.331 ms 113.438 ms 111.278 ms
Am I missing something or barking up the wrong tree? --Bryan
Re: carp and random disconnects
Bryan Irvine wrote: On 3/10/06, Steven S [EMAIL PROTECTED] wrote: Bryan Irvine wrote: ... ... It happened after we installed the carp firewalls, and seems to be related to ICMP-Redirect coming from the real IP, as opposed to the carp one the request went to. ... Interesting, in my experiments carp interfaces didn't send ICMP redirects at all... The CARP interface is not. I'm not sure if it's supposed to or not. I'm guessing because that is the only thing that has changed. With the exception of the carp and pfsync rules, this is the exact same ruleset from the old firewall. Here's what I see on the firewall when I try a traceroute to a remote network that goes through a different gateway:
17:51:50.581658 10.0.0.2 > 10.0.253.236.kent-dhcp.kcjn.com: icmp: time exceeded in-transit
17:51:50.585106 10.0.0.2 > 10.0.253.236.kent-dhcp.kcjn.com: icmp: time exceeded in-transit
17:51:50.585402 10.0.0.2 > 10.0.253.236.kent-dhcp.kcjn.com: icmp: time exceeded in-transit
The results of the traceroute:
 1 10.0.0.2 (10.0.0.2) 0.971 ms 0.268 ms 4.880 ms
 2 10.0.0.201 (10.0.0.201) 0.508 ms 0.503 ms 0.359 ms
 3 172.19.1.10 (172.19.1.10) 111.714 ms 111.264 ms 111.691 ms
 4 172.19.4.10 (172.19.4.10) 111.331 ms 113.438 ms 111.278 ms
Am I missing something or barking up the wrong tree? --Bryan
I experienced similar issues. The carp interface does not send an ICMP redirect (I have not had the time to find out why) but instead routes the packet, creating state if you're running PF. My users experienced slowness so I ended up adding static routes on the servers (only about 5 of them) for the short term. There appear to be two things broken: ICMP redirects and routing back through a carp interface. -Steve S.
Re: carp and random disconnects
Bryan Irvine wrote: ... ... It happened after we installed the carp firewalls, and seems to be related to ICMP-Redirect coming from the real IP, as opposed to the carp one the request went to. ... Interesting, in my experiments carp interfaces didn't send ICMP redirects at all... http://marc.theaimsgroup.com/?l=openbsd-miscm=113772490126174w=2 -Steve S.
Re: Ralink USB
On Fri, 10 Mar 2006 21:53:23 +1100, Jonathan Gray wrote: On Fri, Mar 10, 2006 at 09:18:10PM +1100, Rod.. Whitworth wrote: On Fri, 10 Mar 2006 20:42:44 +1100, Jonathan Gray wrote: On Fri, Mar 10, 2006 at 04:54:08PM +1100, Rod.. Whitworth wrote: Today I received a D-Link DWL-G122 . Unfortunately it is not a v. B1 - it is C1. If the box (i386) is booted on a 3.9beta #617 with the device plugged in it gets a dmesg line that says: Ralink 802.11 bg WLAN Class 0/0, rev 2.00/0/01 addr 2, uhub 1 port 2 not configured I expected the last two words in that message - man page told me that B1 was it for a G122. The usbdevs command with -dv says a bit more: port 2 addr 2: full speed, power 300 mA, config 1, 802.11 bg WLAN(0x3c03), Ralink (0x07d1), rev 0.01 Show the .inf file that came with the windows driver and the FCC ID. You having an address in your headers I could send mail to would help matters as well. Sorry about the email address. You can simply prefix the reply to address with the letter g to get to the alternate mailbox or use ash at witworx dot com. Now as to data requested. The FCC ID is easy as they put it on the outside of the plastic case: KA2WLG122C1 It also shows the firmware as Ver 3.00 Apart from the autorun.inf the CD has nothing in the way of .inf files. So I loaded the software and found that there are several infs one of which (named NetRTAGU.inf) does contain a header that says: AG122.INF ; ; This installation script supports Windows 98, Me, 2000 and XP for the ; RT2570 802.11a/b/g USB Adapters. and that looks the closest of all of the files BUT this thing claims only 802.11g and mentions 11b compatibility in passing in the manual. No 11a in sight. Maybe the driver is selective It depends what radio the MAC is paired with as to whether 11a is functional. Does this sound like the file you want? If so shall I attach it to a message directly to you? It is about 16k in size. Try this patch first. 
You will have to run make in /usr/src/sys/dev/usb/ to regenerate the headers after applying it. Index: sys/dev/usb/usbdevs === RCS file: /cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.185 diff -u -p -r1.185 usbdevs --- sys/dev/usb/usbdevs5 Mar 2006 06:41:36 - 1.185 +++ sys/dev/usb/usbdevs10 Mar 2006 10:47:42 - @@ -283,6 +283,7 @@ vendor ALLIEDTELESYN 0x07c9 Allied Teles vendor AVERMEDIA 0x07ca AVerMedia Technologies vendor SIIG 0x07cc SIIG vendor CASIO 0x07cf CASIO +vendor DLINK2 0x07d1 D-Link vendor APTIO 0x07d2 Aptio Products vendor ARASAN 0x07da Arasan Chip Systems vendor ALLIEDCABLE0x07e6 Allied Cable @@ -847,6 +848,7 @@ product DLINK DWL120E 0x3200 DWL-120 re product DLINK DWL122 0x3700 DWL-122 product DLINK DWL120F 0x3702 DWL-120 rev F product DLINK RT2570 0x3c00 RT2570 +product DLINK2 DWLG122C1 0x3c03 DWL-G122 rev C1 product DLINK DSB650C 0x4000 10Mbps ethernet product DLINK DSB650TX1 0x4001 10/100 ethernet product DLINK DSB650TX0x4002 10/100 ethernet Index: sys/dev/usb/if_ral.c === RCS file: /cvs/src/sys/dev/usb/if_ral.c,v retrieving revision 1.65 diff -u -p -r1.65 if_ral.c --- sys/dev/usb/if_ral.c 19 Feb 2006 08:44:17 - 1.65 +++ sys/dev/usb/if_ral.c 10 Mar 2006 10:47:45 - 
@@ -90,6 +90,7 @@ static const struct usb_devno ural_devs[ { USB_VENDOR_CISCOLINKSYS, USB_PRODUCT_CISCOLINKSYS_HU200TS }, { USB_VENDOR_CONCEPTRONIC2, USB_PRODUCT_CONCEPTRONIC2_C54RU }, { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_RT2570 }, + { USB_VENDOR_DLINK2,USB_PRODUCT_DLINK2_DWLG122C1 }, { USB_VENDOR_GIGABYTE, USB_PRODUCT_GIGABYTE_GNWBKG }, { USB_VENDOR_GUILLEMOT, USB_PRODUCT_GUILLEMOT_HWGUSB254 }, { USB_VENDOR_MELCO, USB_PRODUCT_MELCO_KG54 }, CVS updated the source tree this morning, patches applied, ran make in ../usb, which was fine, then config GENERIC, the 4 makes and a reboot. This looks like success! Tested only on i386. # dmesg OpenBSD 3.9-current (GENERIC) #0: Sat Mar 11 12:42:20 EST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
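Review bot: in the usbdevs vendor hunk, `+vendor DLINK2 0x07d1 D-Link` carries a plain "D-Link" description, so a reader scanning the table cannot tell it is a second vendor ID for the same company as DLINK; add a short comment on that line (or a description such as "D-Link (2)") so that later 0x07d1 products are filed under DLINK2 rather than under a third symbol.

Review bot: in the usbdevs product hunk, `+product DLINK2 DWLG122C1 0x3c03 DWL-G122 rev C1` is inserted in the middle of the DLINK products (between `product DLINK RT2570 0x3c00 RT2570` and `product DLINK DSB650C 0x4000 10Mbps ethernet`); usbdevs groups products by vendor symbol, so the DLINK2 product belongs in its own block rather than interleaved with DLINK. The ID pair itself (vendor 0x07d1, product 0x3c03) matches the `usbdevs -dv` output quoted earlier in the thread, so the match is correctly narrowed to this revision.

Review bot: in the if_ral.c hunk, `+ { USB_VENDOR_DLINK2,USB_PRODUCT_DLINK2_DWLG122C1 },` drops the space after the comma that every neighbouring ural_devs[] entry has; write it as `{ USB_VENDOR_DLINK2, USB_PRODUCT_DLINK2_DWLG122C1 },`. Also, the only evidence so far that the rev C1 board is an RT2570 part is the RT2570 line in the NetRTAGU.inf header quoted earlier, so this entry should not be committed until the reporter confirms that the device attaches to ural(4) and passes traffic.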
Re: Pre-orders for our releases.
On 3/10/06, Diana Eichert [EMAIL PROTECTED] wrote: Talk is really cheap. Getting a business, either the one you work for or a vendor, to donate hardware or funding is much harder. Right. Because for-profit businesses want to see a return on their investment, a company will seldom give stuff away because it feels good. So instead of TALKING about what you MIGHT do, go out and find equipment/funding from somewhere. Once you get something concrete notify Theo of what you have. This process works. I'm working right now to donate hardware (mostly for Todd and Marco). About to ship the small stuff (SCSI and FCAL gear), but it's non-trivial to convince a Fortune 500 to donate anything without even getting a tax write-off in return. For example, two of our sites are upgrading all Mac desktops to G5, literally throwing away dozens of functional Mac G3s, because there is a very short list of tax-deductible charities to which the Company authorizes donation, and it's just easier to send the hardware to the shredder. Last year I gave ten weeks of electricity for the machine room to OpenBSD. Meanwhile my employer bought exactly *two* CDs, and I had to push for that. Kevin Kadow
Re: Ralink USB
On Sat, Mar 11, 2006 at 01:50:12PM +1100, Rod.. Whitworth wrote: On Fri, 10 Mar 2006 21:53:23 +1100, Jonathan Gray wrote: On Fri, Mar 10, 2006 at 09:18:10PM +1100, Rod.. Whitworth wrote: On Fri, 10 Mar 2006 20:42:44 +1100, Jonathan Gray wrote: On Fri, Mar 10, 2006 at 04:54:08PM +1100, Rod.. Whitworth wrote:

Today I received a D-Link DWL-G122. Unfortunately it is not a v. B1 - it is C1. If the box (i386) is booted on a 3.9beta #617 with the device plugged in it gets a dmesg line that says: Ralink 802.11 bg WLAN Class 0/0, rev 2.00/0/01 addr 2, uhub 1 port 2 not configured. I expected the last two words in that message - man page told me that B1 was it for a G122. The usbdevs command with -dv says a bit more: port 2 addr 2: full speed, power 300 mA, config 1, 802.11 bg WLAN(0x3c03), Ralink (0x07d1), rev 0.01

Show the .inf file that came with the windows driver and the FCC ID. You having an address in your headers I could send mail to would help matters as well.

Sorry about the email address. You can simply prefix the reply-to address with the letter g to get to the alternate mailbox or use ash at witworx dot com. Now as to the data requested. The FCC ID is easy as they put it on the outside of the plastic case: KA2WLG122C1. It also shows the firmware as Ver 3.00. Apart from the autorun.inf the CD has nothing in the way of .inf files. So I loaded the software and found that there are several infs, one of which (named NetRTAGU.inf) does contain a header that says: AG122.INF ; ; This installation script supports Windows 98, Me, 2000 and XP for the ; RT2570 802.11a/b/g USB Adapters. and that looks the closest of all of the files BUT this thing claims only 802.11g and mentions 11b compatibility in passing in the manual. No 11a in sight. Maybe the driver is selective

It depends what radio the MAC is paired with as to whether 11a is functional.

Does this sound like the file you want? If so shall I attach it to a message directly to you? It is about 16k in size.
Try this patch first. You will have to run make in /usr/src/sys/dev/usb/ to regenerate the headers after applying it. Index: sys/dev/usb/usbdevs === RCS file: /cvs/src/sys/dev/usb/usbdevs,v retrieving revision 1.185 diff -u -p -r1.185 usbdevs --- sys/dev/usb/usbdevs 5 Mar 2006 06:41:36 - 1.185 +++ sys/dev/usb/usbdevs 10 Mar 2006 10:47:42 - @@ -283,6 +283,7 @@ vendor ALLIEDTELESYN 0x07c9 Allied Teles vendor AVERMEDIA0x07ca AVerMedia Technologies vendor SIIG 0x07cc SIIG vendor CASIO0x07cf CASIO +vendor DLINK2 0x07d1 D-Link vendor APTIO0x07d2 Aptio Products vendor ARASAN 0x07da Arasan Chip Systems vendor ALLIEDCABLE 0x07e6 Allied Cable @@ -847,6 +848,7 @@ product DLINK DWL120E0x3200 DWL-120 re product DLINK DWL1220x3700 DWL-122 product DLINK DWL120F 0x3702 DWL-120 rev F product DLINK RT25700x3c00 RT2570 +product DLINK2 DWLG122C10x3c03 DWL-G122 rev C1 product DLINK DSB650C 0x4000 10Mbps ethernet product DLINK DSB650TX1 0x4001 10/100 ethernet product DLINK DSB650TX 0x4002 10/100 ethernet Index: sys/dev/usb/if_ral.c === RCS file: /cvs/src/sys/dev/usb/if_ral.c,v retrieving revision 1.65 diff -u -p -r1.65 if_ral.c --- sys/dev/usb/if_ral.c 19 Feb 2006 08:44:17 - 1.65 +++ sys/dev/usb/if_ral.c 10 Mar 2006 10:47:45 - 
@@ -90,6 +90,7 @@ static const struct usb_devno ural_devs[ { USB_VENDOR_CISCOLINKSYS, USB_PRODUCT_CISCOLINKSYS_HU200TS }, { USB_VENDOR_CONCEPTRONIC2, USB_PRODUCT_CONCEPTRONIC2_C54RU }, { USB_VENDOR_DLINK, USB_PRODUCT_DLINK_RT2570 }, +{ USB_VENDOR_DLINK2,USB_PRODUCT_DLINK2_DWLG122C1 }, { USB_VENDOR_GIGABYTE, USB_PRODUCT_GIGABYTE_GNWBKG }, { USB_VENDOR_GUILLEMOT, USB_PRODUCT_GUILLEMOT_HWGUSB254 }, { USB_VENDOR_MELCO, USB_PRODUCT_MELCO_KG54 }, CVS updated the source tree this morning, patches applied, run make in ../usb was fine, config GENERIC and do the 4 makes and reboot. This looks like success! Tested only on i386 # dmesg OpenBSD 3.9-current (GENERIC) #0: Sat Mar 11 12:42:20 EST 2006 [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC cpu0: Intel Pentium III (GenuineIntel 686-class, 128KB L2 cache) 768 MHz cpu0: FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,MMX,F XSR,SSE real mem = 335126528 (327272K) avail mem = 298303488 (291312K) using 4116 buffers containing 16859136 bytes (16464K) of memory mainbus0 (root) bios0 at mainbus0: AT/286+(13) BIOS, date
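Review bot: in the usbdevs vendor hunk, the new entry "vendor DLINK2 0x07d1 D-Link" carries the same human-readable name as the existing DLINK vendor, so a device matched through 0x07d1 prints identically in dmesg to one matched through the original D-Link ID and the two cannot be told apart in logs; consider a short comment on the line (or a qualifier in the description) recording that 0x07d1 is D-Link's second vendor ID. Placement between CASIO 0x07cf and APTIO 0x07d2 keeps the numeric order.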
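Review bot: in the ural_devs hunk the added line "{ USB_VENDOR_DLINK2,USB_PRODUCT_DLINK2_DWLG122C1 }" has no space after the comma, unlike the neighbouring "{ USB_VENDOR_DLINK, USB_PRODUCT_DLINK_RT2570 }"; match the surrounding spacing before commit. The alphabetical position after DLINK is right. The test report that follows stops early in the dmesg, before any uhub or ural attach line, so it does not yet show the DWL-G122 C1 (0x07d1/0x3c03 from the usbdevs -dv output earlier in the thread) attaching as ural0; a dmesg excerpt with that line, and ideally an ifconfig showing a scan or association, would confirm the new table entry is actually matched rather than the device still coming up "not configured".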
Re: OpenBSD - Cisco IPSEC
On Fri, 10 Mar 2006, Paolo Supino wrote: Hi I need to setup an IPSEC VPN between 2 locations. 1 location runs Cisco gear (out of my control) and the other runs OpenBSD (my decision). I've never setup a VPN between Cisco and OpenBSD before (I did between Cisco to Cisco and OpenBSD to OpenBSD) and I was wondering if there are any pitfalls or incompatibilities between Cisco and OpenBSD implementations of IPSEC that will cause problems? TIA Paolo

Paolo, As others have said we need more details. I have setup isakmpd and IPSEC in tunnel mode with Cisco PIXes, as well as Cisco 3000 series VPN concentrators (which is really from Altiga Networks). Getting the tunnel established between these devices is never a problem, especially if you define out every section in isakmpd.conf and only offer a single encryption/hash algorithm in your proposals. The biggest problem I have had is rekeying. I have had a lot of issues with tunnels getting out of sync, where my side keeps using XXX SA/SPI, while the other side moves on to another one, or the reverse of that. Cisco devices I have seen default their lifetimes to 86400 seconds for IKE and 28800 seconds for IPSEC. This is of course different from isakmpd so you will want to keep that in mind. I would highly recommend you read all the info listed here. https://www.icsalabs.com/icsa/main.php?pid=fggfgd ICSA does interoperability testing between various IPSEC implementations and they cover several Cisco products. As well as in their paper: IPSEC VPN Advanced Troubleshooting - they state that an excellent tool for debugging interoperability problems in the field is OpenBSD's isakmpd. A lot of information on the specific cisco device you want to talk to may be available at http://www.cisco.com/univercd I am also curious as to the successes and failures other people have had with cisco devices and rekeying, especially cisco 3005, cisco 3030 concentrators. -Matt-
Re: OpenBSD - Cisco IPSEC
Hi Diana I did a different search in google and received a lot of irrelevant hits :-( I looked up the mailing list archives but didn't find anything concrete on the subject. I agree that more information is needed but I kept it to the 2nd round of the emails on this subject because 1: I didn't have it at the time. 2: I didn't know exactly what kind of information others would be interested in (and overloading emails with numbers makes others less likely to respond to the email). Now to the subject at hand: The OpenBSD side is simple: OpenBSD 3.8-stable (and 3.9 when it comes out). Since I didn't have time to develop a policy I'm following the other location's policy. The Cisco they have is a 3745 concentrator. The encryption algorithm is 3DES. Hash algorithm is SHA1. DH group 2 (for phase 1) and phase 2 is esp-3des esp-sha-hmac. TIA Paolo Diana Eichert wrote: On Fri, 10 Mar 2006, Paolo Supino wrote: Hi I need to setup an IPSEC VPN between 2 locations. 1 location runs Cisco gear (out of my control) and the other runs OpenBSD (my decision). I've never setup a VPN between Cisco and OpenBSD before (I did between Cisco to Cisco and OpenBSD to OpenBSD) and I was wondering if there are any pitfalls or incompatibilities between Cisco and OpenBSD implementations of IPSEC that will cause problems? TIA Paolo Ehlo More info is required. Cisco is a company that grows via acquisition, therefore they have several different VPN solutions. Also, I did a quick search on Google for Cisco and OpenBSD ipsec and there are over 95k English hits. The very first response is OpenBSD IPSEC with cisco - HOWTO. diana
Re: OpenBSD - Cisco IPSEC
Hi Matthew Thanx for a great reply (even though I didn't supply information). Here is some more information: The OpenBSD side is simple: OpenBSD 3.8-stable (and 3.9 when it comes out). Since I didn't have time to develop a policy I'm following the other location's policy. The Cisco they have is a 3745 concentrator. The encryption algorithm is 3DES. Hash algorithm is SHA1. DH group 2 (for phase 1) and phase 2 is esp-3des esp-sha-hmac. TIA Paolo

Matthew Closson wrote: On Fri, 10 Mar 2006, Paolo Supino wrote: Hi I need to setup an IPSEC VPN between 2 locations. 1 location runs Cisco gear (out of my control) and the other runs OpenBSD (my decision). I've never setup a VPN between Cisco and OpenBSD before (I did between Cisco to Cisco and OpenBSD to OpenBSD) and I was wondering if there are any pitfalls or incompatibilities between Cisco and OpenBSD implementations of IPSEC that will cause problems? TIA Paolo Paolo, As others have said we need more details. I have setup isakmpd and IPSEC in tunnel mode with Cisco PIXes, as well as Cisco 3000 series VPN concentrators (which is really from Altiga Networks). Getting the tunnel established between these devices is never a problem, especially if you define out every section in isakmpd.conf and only offer a single encryption/hash algorithm in your proposals. The biggest problem I have had is rekeying. I have had a lot of issues with tunnels getting out of sync, where my side keeps using XXX SA/SPI, while the other side moves on to another one, or the reverse of that. Cisco devices I have seen default their lifetimes to 86400 seconds for IKE and 28800 seconds for IPSEC. This is of course different from isakmpd so you will want to keep that in mind. I would highly recommend you read all the info listed here. https://www.icsalabs.com/icsa/main.php?pid=fggfgd ICSA does interoperability testing between various IPSEC implementations and they cover several Cisco products. As well as in their paper: IPSEC VPN Advanced Troubleshooting - they state that an excellent tool for debugging interoperability problems in the field is OpenBSD's isakmpd. A lot of information on the specific cisco device you want to talk to may be available at http://www.cisco.com/univercd I am also curious as to the successes and failures other people have had with cisco devices and rekeying, especially cisco 3005, cisco 3030 concentrators. -Matt-
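An isakmpd.conf that does what Matt recommends (every section spelled out, a single proposal per phase) with the parameters Paolo lists (3DES, SHA1, DH group 2 for phase 1, esp-3des esp-sha-hmac for phase 2) and the lifetimes pinned to the Cisco defaults Matt quotes. This is an added example, not part of the thread and not OpenBSD's shipped sample configuration. It assumes pre-shared key authentication, which the thread never states; the addresses 192.0.2.1 (OpenBSD) and 203.0.113.1 (Cisco), the protected networks 10.1.0.0/16 and 10.2.0.0/16, and the key itself are placeholders to replace.

```ini
# /etc/isakmpd/isakmpd.conf (added example, legacy isakmpd.conf syntax as
# used on OpenBSD 3.8; addresses, networks and key are placeholders)

[General]
Listen-on=              192.0.2.1

# Map the Cisco's public address to its peer section.
[Phase 1]
203.0.113.1=            cisco-peer

[Phase 2]
Connections=            VPN-to-cisco

[cisco-peer]
Phase=                  1
Transport=              udp
Local-address=          192.0.2.1
Address=                203.0.113.1
Configuration=          main-mode-cisco
# Assumed: pre-shared key authentication. Must match the Cisco side.
Authentication=         CHANGE-THIS-PRE-SHARED-KEY

[VPN-to-cisco]
Phase=                  2
ISAKMP-peer=            cisco-peer
Configuration=          quick-mode-cisco
Local-ID=               net-openbsd
Remote-ID=              net-cisco

[net-openbsd]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.1.0.0
Netmask=                255.255.0.0

[net-cisco]
ID-type=                IPV4_ADDR_SUBNET
Network=                10.2.0.0
Netmask=                255.255.0.0

# Phase 1: one transform only, so there is nothing for the Cisco to pick
# that isakmpd did not expect.
[main-mode-cisco]
DOI=                    IPSEC
EXCHANGE_TYPE=          ID_PROT
Transforms=             3DES-SHA-PSK-GRP2

[3DES-SHA-PSK-GRP2]
ENCRYPTION_ALGORITHM=   3DES_CBC
HASH_ALGORITHM=         SHA
AUTHENTICATION_METHOD=  PRE_SHARED
GROUP_DESCRIPTION=      MODP_1024
Life=                   LIFE_IKE_CISCO

# IKE SA lifetime matched to the Cisco default of 86400 s.
[LIFE_IKE_CISCO]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          86400

# Phase 2: a single ESP suite, 3DES with HMAC-SHA1, tunnel mode.
[quick-mode-cisco]
DOI=                    IPSEC
EXCHANGE_TYPE=          QUICK_MODE
Suites=                 QM-ESP-3DES-SHA-CISCO-SUITE

[QM-ESP-3DES-SHA-CISCO-SUITE]
Protocols=              QM-ESP-3DES-SHA-CISCO

[QM-ESP-3DES-SHA-CISCO]
PROTOCOL_ID=            IPSEC_ESP
Transforms=             QM-ESP-3DES-SHA-CISCO-XF

[QM-ESP-3DES-SHA-CISCO-XF]
TRANSFORM_ID=           3DES
ENCAPSULATION_MODE=     TUNNEL
AUTHENTICATION_ALGORITHM= HMAC_SHA
# Add "GROUP_DESCRIPTION= MODP_1024" here only if the Cisco crypto map
# has "set pfs group2"; a PFS mismatch fails phase 2.
Life=                   LIFE_IPSEC_CISCO

# IPsec SA lifetime matched to the Cisco default of 28800 s.
[LIFE_IPSEC_CISCO]
LIFE_TYPE=              SECONDS
LIFE_DURATION=          28800
```

The two LIFE_* sections are the part that addresses the rekeying desync Matt describes: with both ends expiring SAs on the same schedule, neither side is left holding an SPI the other has already retired. Read the actual values off the Cisco configuration rather than trusting defaults, and get the PFS setting from the same place. To watch a negotiation, run isakmpd in the foreground with debugging (isakmpd -d -DA=50) and check the resulting SAs with ipsecctl -sa once phase 2 completes.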
Re: OpenBSD - Cisco IPSEC
Paolo Supino wrote: I need to setup an IPSEC VPN between 2 locations. 1 location runs Cisco gear (out of my control) and the other runs OpenBSD (my decision). I've never setup a VPN between Cisco and OpenBSD before (I did between Cisco to Cisco and OpenBSD to OpenBSD) and I was wondering if there are any pitfalls or incompatibilities between Cisco and OpenBSD implementations of IPSEC that will cause problems? In one scenario, I have an OpenBSD box in a remote office doing IPSEC with isakmpd with a Cisco router in a headquarters office. This has been running flawlessly for years.
Re: FW: Pre-orders for our releases.
On Saturday 11 March 2006 07:22, Greg Thomas wrote: On 3/10/06, Craig Ryhorchuk [EMAIL PROTECTED] wrote: I wouldn't go quite that far. Corporate anywhere cares about charity. No, they don't care about charity. They care about tax deductions. Or, in countries where charity donations aren't tax deductible, goodwill and reputation. --- Lars Hansson